
Petya 2.0 - Is It a Ransomware or Corporate Espionage Attack?

DQINDIA Online

By: Govind Rammurthy, CEO & Managing Director, eScan


As the mystery of the Petya attack unravels, more information is emerging about the internal functionality of the Petya ransomware and its intended purpose. Rather than encrypting files, Petya wipes data from the first 25 sectors of the hard disk, which is far more destructive than one might imagine. Although it is masked as ransomware, Petya’s intention is not financial gain; it never intends to encrypt the data, and its sole intention is the destruction of data.

It is highly unusual for ransomware to initiate an infection chain by piggy-backing on third-party software. Throughout the history of ransomware, spam emails have been the most favored delivery medium. In the case of Petya, however, this is more of a targeted attack than a ransomware attack.

This elaborate infection routine used by Petya leads us to conclude that it could be a corporate espionage attack. Hence, it is misleading to call it ransomware; the label seems a ploy to disguise the original intention of the attack. No ransomware identified until now has shown such behavior as this Petya 2.0 targeted attack.


Generally, Trojans, viruses and other malware masquerade as legitimate applications or useful tools, such as virus-removal tools. However, malware is not known to masquerade as a different kind of malicious program, whereas Petya 2.0’s behavior shows it to be a wiper malware.

A wiper is a program that wipes data from the disk on execution, while ransomware encrypts files and denies access; this is the primary factor differentiating the two. Wiping data from the disk has very serious consequences and would cripple an organization’s business processes, with no option to retrieve the critical data.

Way back in Dec. 2010, we had first mentioned a hypothetical scenario wherein disk-wiping could be used and partition tables / MBR could be attacked, causing irreparable damage, and it seems that after seven years Petya 2.0 has been designed with that intention.
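The damage described above, overwriting the MBR and the first 25 sectors, is something a defender can baseline and check for. The following is an added example, not eScan's code, that records a digest of those sectors and flags a disk whose boot signature, partition table or contents no longer match; the disk image it runs on is a constructed sample built inline, not a real capture.

```python
import hashlib
import struct
from typing import Optional

SECTOR = 512
WATCHED_SECTORS = 25  # the article states Petya 2.0 overwrites the first 25 sectors


def build_sample_disk(wiped: bool) -> bytes:
    """Constructed sample only: a minimal MBR (boot code, one NTFS partition entry,
    0x55AA signature) followed by 63 sectors of filler. Not a real disk image."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x00" * (446 - 5)
    # status, CHS start, type 0x07 (NTFS), CHS end, LBA start 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    mbr = boot_code + entry + b"\x00" * 48 + b"\x55\xaa"
    disk = mbr + bytes(range(256)) * 2 * 63
    if wiped:
        # simulate the destructive outcome: first 25 sectors replaced with zeros
        disk = b"\x00" * (SECTOR * WATCHED_SECTORS) + disk[SECTOR * WATCHED_SECTORS:]
    return disk


def check_boot_sectors(disk: bytes, baseline_digest: Optional[str] = None) -> dict:
    """Inspect the first 25 sectors; return findings plus a SHA-256 to store as a baseline."""
    head = disk[:SECTOR * WATCHED_SECTORS]
    mbr = head[:SECTOR]
    findings = []
    if mbr[510:512] != b"\x55\xaa":
        findings.append("MBR boot signature 0x55AA missing")
    entries = [mbr[446 + 16 * i:446 + 16 * (i + 1)] for i in range(4)]
    # a usable entry has a non-zero partition type and a non-zero sector count
    valid = [e for e in entries if e[4] != 0 and struct.unpack_from("<I", e, 12)[0] != 0]
    if not valid:
        findings.append("no valid partition entries in MBR")
    zero_sectors = sum(1 for i in range(WATCHED_SECTORS) if not any(head[i * SECTOR:(i + 1) * SECTOR]))
    if zero_sectors == WATCHED_SECTORS:
        findings.append(f"first {WATCHED_SECTORS} sectors are all zero")
    digest = hashlib.sha256(head).hexdigest()
    if baseline_digest is not None and digest != baseline_digest:
        findings.append("boot-sector digest differs from recorded baseline")
    return {"intact": not findings, "findings": findings, "digest": digest}


if __name__ == "__main__":
    baseline = check_boot_sectors(build_sample_disk(wiped=False))["digest"]
    print(check_boot_sectors(build_sample_disk(wiped=True), baseline))
```

On a real host the same check would read the first 12800 bytes of the physical disk (for example with `dd`) and compare against a digest recorded while the system was known good.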

Prevention Measures:

· To stay safe from such ransomware attacks, all organizations and users need to ensure that the patches released by Microsoft have been applied immediately.

· Administrators should block all executable files from being transmitted via emails.

· Administrators should isolate affected systems on the network.

· Administrators can restore the encrypted files from backup or from a system restore point (if enabled) for affected systems.

· Ensure that an efficient anti-virus is installed and configured with all security modules active:

i) Real-time monitoring

ii) Proactive protection

iii) Firewall with IDS/IPS intrusion prevention

· Users shouldn’t enable macros in documents.

· Organizations should deploy and maintain a backup solution.

· Most importantly, organizations should implement MailScan at the gateway level for mail servers, to contain the spread of suspicious attachments.
